> The developer talks about the weaknesses of sudo, and how it has a large possible attack surface
Poettering's hypocrisy is painful.
replies(2):
Poettering's hypocrisy is painful.
Because that's what he's complaining about
https://marc.info/?l=openbsd-misc&m=171227941117852&w=2
"Liblzma ends up dynamically linked to sshd because of a systemd-related extension added by many Linux packagers that pulls in liblzma as an unrelated dependency."
https://news.ycombinator.com/item?id=39866076
"openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma."
- Linux packagers decide to patch sshd to use libsystemd for a notification, that could have been trivially done without this library.
- libsystemd depends on libzlma
- libzlma depends on xz
And therefore, systemd is insecure?
And what does this have to do with the fact that SUID is a terrible idea that needs to go?
Why was that? Would that "trivial" approach have broken the next time systemd made one of their incompatible interface changes, perhaps? Was using libsystemd the kind of thing the systemd maintainers recommended?
> And therefore, systemd is insecure?
Systems with systemd had a vulnerability that systems without systemd did not. So it certainly seems like systemd-the-system (not necessarily systemd-the-unix-process) is bad for security.